[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Traffic handling and key management "divide and coquer"



I think that we are at a crucial point where we can make a change that will
turn our work to more focused and efficient, and hopefully fruitful. I
suggest we use a "divide and conquer" strategic.
We should first of all separate IPsec transforms traffic handling (i.e. ESP
and AH)  and key management work to different WGs (if I understand right,
this was raised by JI in the SAAG meeting).
This process is already happening as we speak - MSEC and KINK are working on
key management protocols that create IPsec SAs,  with different
requirements. ESP and AH will still be used for traffic handling.
If we will do the separation, we will soon be able to tell the industry that
the work on the IPsec transforms is done, which I think will be a great
advantage.

I think we should also allow for several key management protocols,
preferably with one framework.
This is the only way we will be able to cater for the requirements of "DSL
geeks" as well as "billion mobile users" (quoting Jari's words).

There are several actions that we need to take for this to happen:
1) Allow working groups other than IPsec to work on key management
protocols, this way we could shut down the IPsec WG and keep on working on
new key management protocols. As I said this is already happening.
2) Limit IPsec wg to only on the following IKE modifications : NAT
traversal, SCTP support and re-keying. The new IKE version should be a minor
version including only minor fixes (as outlined in the new suggested
charter).
3) Re-assure ourselves that the interface between transforms and key
management is clearly defined, and general enough to allow for the addition
of new key management protocols, without having to change the transforms.
4) Have a framework protocol for key management - I think it should be based
on ISAKMP. There is no need to re-invent transforms and proposals syntax for
each new key management protocol.
5) Have different requirements for different key management protocols. With
one common requirement - they should all create IPsec SAs. This way we could
have one requirements document include Identity protection, and allow for a
larger number of messages, and another that has no Identity Protection
requirement, and requires a small number of message. We can also have one or
several WGs in charge of the key management protocols.

 Sara.



Follow-Ups: